Reported

June 21, 2026

Issued

June 26, 2026

Package

lopdf (crates.io)

Type

Vulnerability

Categories

• denial-of-service

Keywords

#dos #stack-overflow #recursion #untrusted-input #pdf

References

• https://github.com/J-F-Liu/lopdf/issues/502
• https://github.com/J-F-Liu/lopdf/pull/503
• https://github.com/J-F-Liu/lopdf/commit/c755394

CVSS Score

7.5 HIGH

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

None

Integrity Impact

None

Availability Impact

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

• >=0.42.0

Description

lopdf::Document::load_mem (and the other load* entry points) parses nested PDF arrays and dictionaries with unbounded recursion. A small crafted PDF whose Catalog contains a deeply nested array (/X [[[ … ]]], on the order of 10,000 levels) exhausts the call stack and aborts the process with SIGABRT.

Because this is a stack-overflow abort rather than a panic!, it cannot be caught with catch_unwind: any service that parses untrusted PDF input with lopdf can be crashed by a ~21 KB file, resulting in a denial of service.

Confirmed on lopdf 0.41.0 and earlier; fixed in 0.42.0. Default configuration, no features changed.

Proof of concept

fn main() {
    let bytes = std::fs::read("poc.pdf").unwrap(); // ~10,380-deep nested array in the Catalog
    let _ = lopdf::Document::load_mem(&bytes);     // stack overflow -> SIGABRT
}

An equivalent PoC is a minimal PDF whose Catalog /X value is "[" * 10380 + "]" * 10380.

Suggested fix

Enforce a maximum object-nesting depth in the parser and return an Err instead of recursing without bound.

Advisory available under CC0-1.0 license.